Backed out changeset 16c03995ac55 (bug 1539759) for causing Buffer Overflow in nsExpatDriver.cpp

--HG-- extra : rebase_source : 0b9e64681becc725d8550f4a6820166ce8fba2bf
2019-05-13 18:16:39 +03:00 · 2019-05-13 18:16:39 +03:00 · 8187c0826d
commit 8187c0826d
parent 1390ecd567
4 changed files with 60 additions and 105 deletions
--- a/parser/expat/lib/expat.h
+++ b/parser/expat/lib/expat.h
@ -1056,11 +1056,6 @@ XMLPARSEAPI(const XML_Char*)
 MOZ_XML_GetMismatchedTag(XML_Parser parser);
 /* END MOZILLA CHANGE */

-/* BEGIN MOZILLA CHANGE (Report whether the parser is currently expanding an entity) */
-XMLPARSEAPI(XML_Bool)
-MOZ_XML_ProcessingEntityValue(XML_Parser parser);
-/* END MOZILLA CHANGE */
-
 #ifdef __cplusplus
 }
 #endif
--- a/parser/expat/lib/xmlparse.c
+++ b/parser/expat/lib/xmlparse.c
@ -2462,13 +2462,6 @@ MOZ_XML_GetMismatchedTag(XML_Parser parser)
 }
 /* END MOZILLA CHANGE */

-/* BEGIN MOZILLA CHANGE (Report whether the parser is currently expanding an entity) */
-XML_Bool XMLCALL
-MOZ_XML_ProcessingEntityValue(XML_Parser parser) {
-  return openInternalEntities != NULL;
-}
-/* END MOZILLA CHANGE */
-
 /* Initially tag->rawName always points into the parse buffer;
   for those TAG instances opened while the current parse buffer was
   processed, and not yet closed, we need to store tag->rawName in a more
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@ -54,6 +54,21 @@ static void Driver_HandleXMLDeclaration(void* aUserData,
  }
 }

+static void Driver_HandleStartElement(void* aUserData, const XML_Char* aName,
+                                      const XML_Char** aAtts) {
+  NS_ASSERTION(aUserData, "expat driver should exist");
+  if (aUserData) {
+    static_cast<nsExpatDriver*>(aUserData)->HandleStartElement(aName, aAtts);
+  }
+}
+
+static void Driver_HandleEndElement(void* aUserData, const XML_Char* aName) {
+  NS_ASSERTION(aUserData, "expat driver should exist");
+  if (aUserData) {
+    static_cast<nsExpatDriver*>(aUserData)->HandleEndElement(aName);
+  }
+}
+
 static void Driver_HandleCharacterData(void* aUserData, const XML_Char* aData,
                                       int aLength) {
  NS_ASSERTION(aUserData, "expat driver should exist");
@ -252,104 +267,41 @@ nsExpatDriver::~nsExpatDriver() {
  }
 }

-/* static */
-void nsExpatDriver::HandleStartElement(void* aUserData, const char16_t* aName,
-                                       const char16_t** aAtts) {
-  nsExpatDriver* self = static_cast<nsExpatDriver*>(aUserData);
-
-  NS_ASSERTION(self->mSink, "content sink not found!");
+nsresult nsExpatDriver::HandleStartElement(const char16_t* aValue,
+                                           const char16_t** aAtts) {
+  NS_ASSERTION(mSink, "content sink not found!");

  // Calculate the total number of elements in aAtts.
  // XML_GetSpecifiedAttributeCount will only give us the number of specified
  // attrs (twice that number, actually), so we have to check for default attrs
  // ourselves.
  uint32_t attrArrayLength;
-  for (attrArrayLength = XML_GetSpecifiedAttributeCount(self->mExpatParser);
+  for (attrArrayLength = XML_GetSpecifiedAttributeCount(mExpatParser);
       aAtts[attrArrayLength]; attrArrayLength += 2) {
    // Just looping till we find out what the length is
  }

-  if (self->mSink) {
-    nsresult rv = self->mSink->HandleStartElement(
-        aName, aAtts, attrArrayLength,
-        XML_GetCurrentLineNumber(self->mExpatParser),
-        XML_GetCurrentColumnNumber(self->mExpatParser));
-    self->MaybeStopParser(rv);
+  if (mSink) {
+    nsresult rv = mSink->HandleStartElement(
+        aValue, aAtts, attrArrayLength, XML_GetCurrentLineNumber(mExpatParser),
+        XML_GetCurrentColumnNumber(mExpatParser));
+    MaybeStopParser(rv);
  }
-}
-
-static nsresult AppendErrorPointer(const int32_t aColNumber,
-                                   const char16_t* aSourceLine,
-                                   nsString& aSourceString) {
-  aSourceString.Append(char16_t('\n'));
-
-  // Last character will be '^'.
-  int32_t last = aColNumber - 1;
-  int32_t i;
-  uint32_t minuses = 0;
-  for (i = 0; i < last; ++i) {
-    if (aSourceLine[i] == '\t') {
-      // Since this uses |white-space: pre;| a tab stop equals 8 spaces.
-      uint32_t add = 8 - (minuses % 8);
-      aSourceString.AppendASCII("--------", add);
-      minuses += add;
-    } else {
-      aSourceString.Append(char16_t('-'));
-      ++minuses;
-    }
-  }
-  aSourceString.Append(char16_t('^'));

  return NS_OK;
 }

-/* static */
-void nsExpatDriver::HandleStartElementForSystemPrincipal(
-    void* aUserData, const char16_t* aName, const char16_t** aAtts) {
-  nsExpatDriver* self = static_cast<nsExpatDriver*>(aUserData);
-
-  if (!MOZ_XML_ProcessingEntityValue(self->mExpatParser)) {
-    HandleStartElement(aUserData, aName, aAtts);
-  } else {
-    nsCOMPtr<Document> doc =
-        do_QueryInterface(self->mOriginalSink->GetTarget());
-
-    // Adjust the column number so that it is one based rather than zero based.
-    uint32_t colNumber = XML_GetCurrentColumnNumber(self->mExpatParser) + 1;
-    uint32_t lineNumber = XML_GetCurrentLineNumber(self->mExpatParser);
-
-    nsAutoString sourceText(self->mLastLine);
-    AppendErrorPointer(colNumber, self->mLastLine.get(), sourceText);
-
-    nsContentUtils::ReportToConsoleNonLocalized(
-        NS_LITERAL_STRING("Ignored element created from entity value."),
-        nsIScriptError::warningFlag, NS_LITERAL_CSTRING("XML Document"), doc,
-        nullptr, sourceText, lineNumber, colNumber);
-  }
-}
-
-/* static */
-void nsExpatDriver::HandleEndElement(void* aUserData, const char16_t* aName) {
-  nsExpatDriver* self = static_cast<nsExpatDriver*>(aUserData);
-
-  NS_ASSERTION(self->mSink, "content sink not found!");
-  NS_ASSERTION(self->mInternalState != NS_ERROR_HTMLPARSER_BLOCK,
+nsresult nsExpatDriver::HandleEndElement(const char16_t* aValue) {
+  NS_ASSERTION(mSink, "content sink not found!");
+  NS_ASSERTION(mInternalState != NS_ERROR_HTMLPARSER_BLOCK,
               "Shouldn't block from HandleStartElement.");

-  if (self->mSink && self->mInternalState != NS_ERROR_HTMLPARSER_STOPPARSING) {
-    nsresult rv = self->mSink->HandleEndElement(aName);
-    self->MaybeStopParser(rv);
+  if (mSink && mInternalState != NS_ERROR_HTMLPARSER_STOPPARSING) {
+    nsresult rv = mSink->HandleEndElement(aValue);
+    MaybeStopParser(rv);
  }
-}

-/* static */
-void nsExpatDriver::HandleEndElementForSystemPrincipal(void* aUserData,
-                                                       const char16_t* aName) {
-  nsExpatDriver* self = static_cast<nsExpatDriver*>(aUserData);
-
-  if (!MOZ_XML_ProcessingEntityValue(self->mExpatParser)) {
-    HandleEndElement(aUserData, aName);
-  }
+  return NS_OK;
 }

 nsresult nsExpatDriver::HandleCharacterData(const char16_t* aValue,
@ -694,6 +646,31 @@ static nsresult CreateErrorText(const char16_t* aDescription,
  return NS_OK;
 }

+static nsresult AppendErrorPointer(const int32_t aColNumber,
+                                   const char16_t* aSourceLine,
+                                   nsString& aSourceString) {
+  aSourceString.Append(char16_t('\n'));
+
+  // Last character will be '^'.
+  int32_t last = aColNumber - 1;
+  int32_t i;
+  uint32_t minuses = 0;
+  for (i = 0; i < last; ++i) {
+    if (aSourceLine[i] == '\t') {
+      // Since this uses |white-space: pre;| a tab stop equals 8 spaces.
+      uint32_t add = 8 - (minuses % 8);
+      aSourceString.AppendASCII("--------", add);
+      minuses += add;
+    } else {
+      aSourceString.Append(char16_t('-'));
+      ++minuses;
+    }
+  }
+  aSourceString.Append(char16_t('^'));
+
+  return NS_OK;
+}
+
 nsresult nsExpatDriver::HandleError() {
  int32_t code = XML_GetErrorCode(mExpatParser);
  NS_ASSERTION(code > XML_ERROR_NONE, "unexpected XML error code");
@ -1064,12 +1041,8 @@ nsExpatDriver::WillBuildModel(const CParserContext& aParserContext,

  // Set up the callbacks
  XML_SetXmlDeclHandler(mExpatParser, Driver_HandleXMLDeclaration);
-  if (doc && doc->NodePrincipal()->IsSystemPrincipal()) {
-    XML_SetElementHandler(mExpatParser, HandleStartElementForSystemPrincipal,
-                          HandleEndElementForSystemPrincipal);
-  } else {
-    XML_SetElementHandler(mExpatParser, HandleStartElement, HandleEndElement);
-  }
+  XML_SetElementHandler(mExpatParser, Driver_HandleStartElement,
+                        Driver_HandleEndElement);
  XML_SetCharacterDataHandler(mExpatParser, Driver_HandleCharacterData);
  XML_SetProcessingInstructionHandler(mExpatParser,
                                      Driver_HandleProcessingInstruction);
--- a/parser/htmlparser/nsExpatDriver.h
+++ b/parser/htmlparser/nsExpatDriver.h
@ -33,14 +33,8 @@ class nsExpatDriver : public nsIDTD, public nsITokenizer {
  int HandleExternalEntityRef(const char16_t* aOpenEntityNames,
                              const char16_t* aBase, const char16_t* aSystemId,
                              const char16_t* aPublicId);
-  static void HandleStartElement(void* aUserData, const char16_t* aName,
-                                 const char16_t** aAtts);
-  static void HandleStartElementForSystemPrincipal(void* aUserData,
-                                                   const char16_t* aName,
-                                                   const char16_t** aAtts);
-  static void HandleEndElement(void* aUserData, const char16_t* aName);
-  static void HandleEndElementForSystemPrincipal(void* aUserData,
-                                                 const char16_t* aName);
+  nsresult HandleStartElement(const char16_t* aName, const char16_t** aAtts);
+  nsresult HandleEndElement(const char16_t* aName);
  nsresult HandleCharacterData(const char16_t* aCData, const uint32_t aLength);
  nsresult HandleComment(const char16_t* aName);
  nsresult HandleProcessingInstruction(const char16_t* aTarget,